An attacker can craft an XPath string to load any class of his/her choice using an external source, such as an XML file.

JXPath is used by many applications and components, such as Microsoft SharePoint Search, Apache Karaf, and many more. Applications using JXPath are recommended to upgrade to the latest version without skipping any release. An upgrade to JXPath 1.8.8.16 or later is strongly recommended.

Impacts of CVE-2022-41852

The vulnerability allows an attacker to craft an XPath string to load any class of his/her choice using an external source, such as an XML file. Depending on the context, this vulnerability can cause a system crash or remote code execution.

How do I know if my application is affected by JXPath Vulnerability?

- If your application uses JXPath, it is recommended that you upgrade to the latest release.
- If you are not sure whether your application uses JXPath, you can use the following code to determine if your application is affected by the vulnerability.

if (function_exists('jxpath_version')):
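An added example, not from the original page or the JXPath project: JXPath is a Java library, so one way to answer the question above is to inspect a deployable archive (JAR/WAR/EAR, including nested archives) for the library's classes. The entry name `org/apache/commons/jxpath/JXPathContext.class` is the library's main context class; the `pom.properties` path is an assumption about how the jar was built, and the sample archive and its version string are constructed.

```python
import io
import zipfile

# Class entry that identifies Apache Commons JXPath inside an archive.
MARKER = "org/apache/commons/jxpath/JXPathContext.class"
# Maven metadata usually shipped in the jar (assumed layout; may be absent).
POM_PROPS = "META-INF/maven/commons-jxpath/commons-jxpath/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def find_jxpath(data, name, max_depth=4):
    """Return [(archive_path, version_or_None)] for every archive inside
    `data` (bytes of a jar/war/ear) that bundles the JXPath classes."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # unreadable archive: skip it rather than abort the scan
    with zf:
        names = set(zf.namelist())
        if MARKER in names:
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            hits.append((name, version))
        if max_depth > 0:  # bounded recursion into bundled libraries
            for entry in sorted(names):
                if entry.lower().endswith(ARCHIVE_EXT):
                    hits += find_jxpath(zf.read(entry), name + "!/" + entry, max_depth - 1)
    return hits


def build_sample_war():
    """Constructed sample: a WAR holding one JXPath jar and one unrelated jar."""
    def jar(files):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for path, body in files.items():
                z.writestr(path, body)
        return buf.getvalue()
    jx = jar({MARKER: b"", POM_PROPS: "version=0.0.0-sample\n"})
    other = jar({"com/example/App.class": b""})
    return jar({"WEB-INF/lib/commons-jxpath.jar": jx, "WEB-INF/lib/app.jar": other})

if __name__ == "__main__":
    for path, version in find_jxpath(build_sample_war(), "sample.war"):
        print(path, version or "unknown version")
```

A hit shows only that the library is packaged with the application; whether it is exposed depends on whether attacker-influenced strings reach JXPath expression evaluation.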

How to upgrade JXPath, step by step

Upgrade your JXPath:
* Upgrade JXPath to 1.8.8.16 or later - https://jxpath.java.net/download
* Download and extract the new JXPath release - https://jxpath.java.net/download
* Update building instructions - https://jxpath.java.net/download#building-instructions

What’s new in JXPath 1.8.8.16

The new version of JXPath includes a number of security updates, including the following:
* Fixes for CVE-2022-41852, which allows an attacker to craft an XPath string to load any class of his/her choice using an external source, such as an XML file.
* Fixes for CVE-2018-3629 and CVE-2018-3627, which allow attackers to bypass XSLT validation by inserting code during XML parsing.
* Fixes for CVE-2018-1002105, which allows remote attackers to trigger memory corruption on Windows and Linux systems via crafted data.
* Fixes for CVE-2017-17506 and CVE-2017-17507, which allow remote attackers to trigger type confusion in Java applets.
* Numerous fixes that help prevent buffer overflows when processing certain types of malformed input data.

Timeline

Published on: 10/06/2022 18:17:00 UTC
Last modified on: 10/07/2022 19:54:00 UTC
